Behavior based authentication for touch screen devices

ABSTRACT

A method, system, and one or more computer-readable storage media for behavior based authentication for touch screen devices are provided herein. The method includes acquiring a number of training samples corresponding to a first action performed on a touch screen of a touch screen device, wherein the first action includes an input of a signature or a gesture by a legitimate user. The method also includes generating a user behavior model based on the training samples and acquiring a test sample corresponding to a second action performed on the touch screen, wherein the second action includes an input of the signature or the gesture by a user. The method further includes classifying the test sample based on the user behavior model, wherein classifying the test sample includes determining whether the user is the legitimate user or an imposter.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 13/857,155, filed Apr. 5, 2013, and entitled “BEHAVIOR BASED AUTHENTICATION FOR TOUCH SCREEN DEVICES”, which is incorporated herein in its entirety by reference.

BACKGROUND

Mobile computing devices equipped with touch screens have become very prevalent. Many applications that were commonly executed on desktop computers in the past are now also being executed on such touch screen devices. For example, email applications, social networking applications, electronic commerce applications, and online banking applications are now being executed on touch screen devices. Authenticating users of touch screen devices is important because the devices often contain sensitive data, such as personal photos, email information, credit card numbers, passwords, business data, corporate secrets, or the like, relating to the applications executing on the devices.

According to existing procedures for authenticating users of touch screen devices, the user either enters a password/PIN code or draws a geometric pattern on a grid of points in a predefined sequence. However, touch screen devices are often used in public settings. Therefore, attackers may be able to spy on users to determine the passwords/PIN codes or patterns for their touch screen devices relatively easily. Furthermore, attackers may be able to extract the passwords/PIN codes or patterns for touch screen devices from recent user input based on smudges or marks left on the touch screens by users' fingers, touch pens, or other touch input devices.

SUMMARY

The following presents a simplified summary of the present embodiments in order to provide a basic understanding of some aspects described herein. This summary is not an extensive overview of the claimed subject matter. It is intended to neither identify critical elements of the claimed subject matter nor delineate the scope of the present embodiments. Its sole purpose is to present some concepts of the claimed subject matter in a simplified form as a prelude to the more detailed description that is presented later.

An embodiment provides a method for behavior based authentication for touch screen devices. The method includes acquiring a number of training samples corresponding to a first action performed on a touch screen of a touch screen device, wherein the first action includes an input of a signature or a gesture by a legitimate user. The method also includes generating a user behavior model based on the training samples and acquiring a test sample corresponding to a second action performed on the touch screen, wherein the second action includes an input of the signature or the gesture by a user. The method further includes classifying the test sample based on the user behavior model, wherein classifying the test sample includes determining whether the user is the legitimate user or an imposter.

Another embodiment provides a touch screen device that includes a touch screen, a processor that is adapted to execute stored instructions, and a system memory. The system memory includes code configured to acquire a number of training samples corresponding to a first action performed on the touch screen, wherein the first action includes an input of a signature or a gesture by a legitimate user. The system memory also includes code configured to generate a user behavior model based on the training samples and acquire a test sample corresponding to a second action performed on the touch screen, wherein the second action includes an input of the signature or the gesture by a user. The system memory further includes code configured to classify the test sample based on the user behavior model, wherein classifying the test sample includes determining whether the user is the legitimate user or an imposter.

In addition, another embodiment provides one or more computer-readable storage media for storing computer-readable instructions. The computer-readable instructions provide for behavior based authentication of a touch screen device when executed by one or more processing devices. The computer-readable instructions include code configured to acquire training samples corresponding to a first action including an input of a signature or a gesture on a touch screen of the touch screen device, extract features corresponding to the action from the training samples, and select a portion of the features that have consistent values for all of the training samples. The computer-readable instructions also include code configured to extract behaviors corresponding to the portion of the features from the training samples, partition the training samples into training groups based on the behaviors corresponding to the portion of the features, and generate a user behavior model for each training group. The computer-readable instructions also include code configured to acquire a test sample corresponding to a second action including an input of the signature or the gesture on the touch screen, extract the portion of the features that have consistent values for all of the training samples from the test sample, and extract test behaviors corresponding to the portion of the features from the test sample. The computer-readable instructions further include code configured to classify the test sample by comparing the test behaviors extracted from the test sample to the behaviors corresponding to the training groups based on the user behavior models.

The following description and the annexed drawings set forth in detail certain illustrative aspects of the claimed subject matter. These aspects are indicative, however, of but a few of the various ways in which the principles of the innovation may be employed, and the claimed subject matter is intended to include all such aspects and their equivalents. Other advantages and novel features of the claimed subject matter will become apparent from the following detailed description of the innovation when considered in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computing environment that may be used to implement a system and method for behavior based authentication for touch screen devices;

FIG. 2 is a schematic showing ten gestures that may be used according to the behavior based authentication procedure described herein;

FIG. 3 is a schematic showing an implementation of the behavior based authentication procedure described herein for a mobile phone;

FIG. 4 is a schematic showing an implementation of the behavior based authentication procedure described herein for a tablet computer;

FIG. 5 is a process flow diagram of the behavior based authentication procedure described herein; and

FIG. 6 is a process flow diagram of a method for behavior based authentication for touch screen devices.

DETAILED DESCRIPTION

According to existing procedures for authenticating users of touch screen devices, the user either enters a password/PIN code or draws a geometric pattern on a grid of points in a predefined sequence. However, as discussed above, such procedures are susceptible to attempts by attackers to obtain users' sensitive data. Therefore, embodiments described herein are directed to a method, system, and one or more computer-readable storage media for behavior based authentication for touch screen devices.

While existing authentication procedures for touch screen devices are based only on the actual data that is input by users, embodiments described herein provide a behavior based authentication procedure that is based on the actual data that is input by the users as well as the manner in which the data is input by the users. Specifically, according to embodiments described herein, the touch screen device requests the user to perform a particular action on the touch screen. The touch screen device then extracts behavior features from the particular action. Such behavior features may include, but are not limited to, stroke time, inter-stroke time, displacement magnitude, displacement direction, pressure, velocity magnitude, and velocity direction. Because users typically have unique and fairly consistent input behavior, it may be assumed that the extracted behavior features are specific to the particular user. Therefore, the extracted behavior features may be used to authenticate the user of the touch screen device.

According to embodiments described herein, particular actions that may be performed by users include the input of a gesture or the input of a personal signature. As used herein, the term “gesture” refers to a brief interaction of a user's fingers with a touch screen. For example, a gesture may include a swipe rightwards or a pinch with two fingers on the touch screen. In addition, as used herein, the term “personal signature” refers to a specific interaction of a user's fingers, touch pen, or other touch input device with the touch screen. For example, a personal signature may include an input of a user's name. In various embodiments, behavior features may be extracted for a gesture or a personal signature based on the actual input of the gesture or the personal signature as well as the manner in which the gesture or personal signature is input.

The behavior based authentication procedure described herein is significantly more difficult to compromise than existing authentication procedures because it is difficult for attackers to emulate the behavior of users by inputting gestures or personal signatures in a particular manner. Even if an attacker is somehow capable of perfectly reproducing a user's personal signature, it is highly unlikely that the attacker will be able to reproduce the user's behavior of inputting the personal signature on a touch screen device.

Many existing authentication procedures rely on biometric features relating to users. Such biometric features may include users' fingerprints, DNA, irises, odors, hands, faces, or ears, among others. By contrast, the authentication procedure described herein relies on behavior features relating to users rather than biometric features. Therefore, the authentication procedure described herein provides significant advantages compared to authentication procedures that rely on biometric features. Specifically, the authentication procedure described herein is secure against attempts to extract the passwords/PIN codes or patterns for touch screen devices from recent user input based on smudges or marks left on the touch screens by users' fingers. In addition, the authentication procedure described herein does not rely on any additional hardware, such as fingerprint readers or the like, for extracting biometric features.

Furthermore, existing authentication procedures do not provide for the authentication of users based on the manner in which they input signatures on touch screen devices using their fingers. Rather, existing authentication procedures have only focused on signatures performed with a touch pen (either conventional or digital) and can be categorized into offline signature verification procedures and online signature verification procedures. Offline signature verification procedures use signatures in the form of images, while online signature verification procedures use signatures in the form of time stamped data points matched with training samples of the signatures. According to both offline and online signature verification procedures, features are extracted from the entire signature. By contrast, according to the authentication procedure described herein, features are extracted only from those subparts of the signature that have consistent values of features across training samples.

As a preliminary matter, some of the figures describe concepts in the context of one or more structural components, variously referred to as functionality, modules, features, elements, or the like. The various components shown in the figures can be implemented in any manner, such as via software, hardware (e.g., discrete logic components), or firmware, or any combinations thereof. In some embodiments, the various components may reflect the use of corresponding components in an actual implementation. In other embodiments, any single component illustrated in the figures may be implemented by a number of actual components. The depiction of any two or more separate components in the figures may reflect different functions performed by a single actual component. FIG. 1, discussed below, provides details regarding one system that may be used to implement the functions shown in the figures.

Other figures describe the concepts in flowchart form. In this form, certain operations are described as constituting distinct blocks performed in a certain order. Such implementations are exemplary and non-limiting. Certain blocks described herein can be grouped together and performed in a single operation, certain blocks can be broken apart into plural component blocks, and certain blocks can be performed in an order that differs from that which is illustrated herein, including a parallel manner of performing the blocks. The blocks shown in the flowcharts can be implemented by software, hardware, firmware, manual processing, or the like. As used herein, hardware may include computer systems, discrete logic components, such as application specific integrated circuits (ASICs), or the like.

As to terminology, the phrases “configured to” and “adapted to” encompass any way that any kind of functionality can be constructed to perform an identified operation. The functionality can be configured to (or adapted to) perform an operation using, for instance, software, hardware, firmware, or the like.

The term “logic” encompasses any functionality for performing a task. For instance, each operation illustrated in the flowcharts corresponds to logic for performing that operation. An operation can be performed using, for instance, software, hardware, firmware, or the like.

As used herein, the terms “component,” “system,” “server,” and the like are intended to refer to a computer-related entity, either hardware, software (e.g., in execution), or firmware, or any combination thereof. For example, a component can be a process running on a processor, an object, an executable, a program, a function, a library, a subroutine, a computer, or a combination of software and hardware.

By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process, and a component can be localized on one computer and/or distributed between two or more computers. The term “processor” is generally understood to refer to a hardware component, such as a processing unit of a computer system.

Furthermore, the claimed subject matter may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computer to implement the disclosed subject matter. The term “article of manufacture” as used herein is intended to encompass a computer program accessible from any computer-readable storage device or media.

Computer-readable storage media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, and magnetic strips, among others), optical disks (e.g., compact disk (CD) and digital versatile disk (DVD), among others), smart cards, and flash memory devices (e.g., card, stick, and key drive, among others). In contrast, computer-readable media (i.e., not storage media) generally may additionally include communication media such as transmission media for wireless signals and the like.

In order to provide context for implementing various aspects of the claimed subject matter, FIG. 1 and the following discussion are intended to provide a brief, general description of a computing environment in which the various aspects of the subject innovation may be implemented. For example, a method and system for behavior based authentication for touch screen devices can be implemented in such a computing environment. While the claimed subject matter has been described above in the general context of computer-executable instructions of a computer program that runs on a local computer or remote computer, those of skill in the art will recognize that the subject innovation also may be implemented in combination with other program modules. Generally, program modules include routines, programs, components, data structures, or the like that perform particular tasks or implement particular abstract data types.

Moreover, those of skill in the art will appreciate that the subject innovation may be practiced with other computer system configurations. For example, the subject innovation may be practiced with single-processor or multi-processor computer systems, minicomputers, mainframe computers, personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, or the like, each of which may operatively communicate with one or more associated devices. The illustrated aspects of the claimed subject matter may also be practiced in distributed computing environments wherein certain tasks are performed by remote processing devices that are linked through a communications network. However, some, if not all, aspects of the subject innovation may be practiced on stand-alone computers. In a distributed computing environment, program modules may be located in local or remote memory storage devices.

FIG. 1 is a block diagram of a computing environment 100 that may be used to implement a system and method for behavior based authentication for touch screen devices. The computing environment 100 includes a computer 102. The computer 102 may be any suitable type of touch screen device, such as a mobile phone or tablet computer. The computer 102 includes a processing unit 104, a system memory 106, and a system bus 108. The system bus 108 couples system components including, but not limited to, the system memory 106 to the processing unit 104. The processing unit 104 can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can be employed as the processing unit 104.

The system bus 108 can be any of several types of bus structures, including the memory bus or memory controller, a peripheral bus or external bus, or a local bus using any variety of available bus architectures known to those of ordinary skill in the art. The system memory 106 is computer-readable storage media that includes volatile memory 110 and non-volatile memory 112. The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 102, such as during start-up, is stored in non-volatile memory 112. By way of illustration, and not limitation, non-volatile memory 112 can include read-only memory (ROM), programmable ROM (PROM), electrically-programmable ROM (EPROM), electrically-erasable programmable ROM (EEPROM), or flash memory.

Volatile memory 110 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), SynchLink™ DRAM (SLDRAM), Rambus® direct RAM (RDRAM), direct Rambus® dynamic RAM (DRDRAM), and Rambus® dynamic RAM (RDRAM).

The computer 102 also includes other computer-readable storage media, such as removable/non-removable, volatile/non-volatile computer storage media. FIG. 1 shows, for example, a disk storage 114. Disk storage 114 may include, but is not limited to, a magnetic disk drive, floppy disk drive, tape drive, Jaz drive, Zip drive, LS-100 drive, flash memory card, or memory stick.

In addition, disk storage 114 can include storage media separately or in combination with other storage media including, but not limited to, an optical disk drive such as a compact disk ROM device (CD-ROM), CD recordable drive (CD-R Drive), CD rewritable drive (CD-RW Drive), or a digital versatile disk ROM drive (DVD-ROM). To facilitate connection of the disk storage 114 to the system bus 108, a removable or non-removable interface is typically used, such as interface 116.

It is to be appreciated that FIG. 1 describes software that acts as an intermediary between users and the basic computer resources described in the computing environment 100. Such software includes an operating system 118. The operating system 118, which can be stored on disk storage 114, acts to control and allocate resources of the computer 102.

System applications 120 take advantage of the management of resources by the operating system 118 through program modules 122 and program data 124 stored either in system memory 106 or on disk storage 114. It is to be appreciated that the claimed subject matter can be implemented with various operating systems or combinations of operating systems.

A user enters commands or information into the computer 102 through input devices 126. According to embodiments described herein, the input devices 126 include a touch screen. In addition, the input devices 126 can include, but are not limited to, a pointing device (such as a mouse, trackball, stylus, or the like), a keyboard, a microphone, a voice input device, a joystick, a satellite dish, a scanner, a TV tuner card, a digital camera, a digital video camera, a web camera, or the like. The input devices 126 connect to the processing unit 104 through the system bus 108 via interface port(s) 128. Interface port(s) 128 can include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB). Output device(s) 130 may also use the same types of ports as input device(s) 126. Thus, for example, a USB port may be used to provide input to the computer 102 and to output information from the computer 102 to an output device 130.

An output adapter 132 is provided to illustrate that there are some output devices 130, such as a display (e.g., in the form of the touch screen), speakers, and printers, among other output devices 130, which are accessible via the output adapters 132. The output adapters 132 include, by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 130 and the system bus 108.

It can be noted that some devices and/or systems of devices provide both input and output capabilities. For example, the touch screen of the computer 102 provides both input and output capabilities.

The computer 102 can include logical connections to one or more remote computers, such as remote computer(s) 134. The remote computer(s) 134 may be systems configured with web browsers, PC applications, mobile phone applications, and the like. The remote computer(s) 134 may be personal computers, servers, routers, network PCs, workstations, microprocessor based appliances, peer devices, or the like, and may include many or all of the elements described relative to the computer 102. For purposes of brevity, the remote computer(s) 134 are illustrated with a memory storage device 136. The remote computer(s) 134 are logically connected to the computer 102 through a network interface 138, and physically connected to the computer 102 via a communication connection 140.

Network interface 138 encompasses wired and/or wireless communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet, Token Ring, and the like. WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL).

Communication connection(s) 140 refers to the hardware and/or software employed to connect the network interface 138 to the system bus 108. While communication connection 140 is shown for illustrative clarity inside the computer 102, it can also be external to the computer 102. The hardware and/or software for connection to the network interface 138 may include, for example, internal and external technologies such as mobile phone switches, modems including regular telephone grade modems, cable modems and DSL modems, ISDN adapters, and Ethernet cards.

According to embodiments described herein, seven types of behavior features, including stroke time, inter-stroke time, displacement magnitude, displacement direction, pressure, velocity magnitude, and velocity direction, may be extracted from a particular action, e.g., an input of a gesture or personal signature, by a user. However, it is to be understood that embodiments described herein are not limited to these seven behavior features. Rather, any number of alternative or additional behavior features may also be used. As used herein, “pressure” is the force per unit area exerted by the user on the touch screen while performing the action. “Velocity” is a combined measure of speed (i.e., velocity magnitude) and direction (i.e., velocity direction) for performing the action. The “stroke time” of a stroke is the time taken by the user to complete that stroke. The “inter-stroke time” of a pair of strokes is the time taken by the user to start the next stroke after completing the current stroke. During this time, the touch input device, e.g., the user's finger or the touch pen, is not in contact with the touch screen. “Relative stroke displacement” is the displacement between adjacent strokes in the action. “Displacement” is a combined measure of distance (i.e., displacement magnitude) and direction (i.e., displacement direction) between adjacent strokes.
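
For illustration only, the following sketch shows one way the feature types defined above might be computed from logged touch points. The (x, y, t, pressure) point format and all function names are assumptions made for this example rather than elements of the described embodiments.

```python
import math

# Each stroke is assumed to be a list of (x, y, t, pressure) tuples,
# with t in seconds; this record format is illustrative only.

def stroke_time(stroke):
    """Time taken by the user to complete one stroke."""
    return stroke[-1][2] - stroke[0][2]

def inter_stroke_time(prev_stroke, next_stroke):
    """Time between completing one stroke and starting the next."""
    return next_stroke[0][2] - prev_stroke[-1][2]

def centroid(stroke):
    xs = [p[0] for p in stroke]
    ys = [p[1] for p in stroke]
    return sum(xs) / len(xs), sum(ys) / len(ys)

def displacement(prev_stroke, next_stroke):
    """Displacement magnitude and direction between adjacent stroke centers."""
    (x1, y1), (x2, y2) = centroid(prev_stroke), centroid(next_stroke)
    dx, dy = x2 - x1, y2 - y1
    return math.hypot(dx, dy), math.atan2(dy, dx)

def velocities(stroke):
    """Per-sample velocity magnitude and direction along a stroke."""
    out = []
    for (x1, y1, t1, _), (x2, y2, t2, _) in zip(stroke, stroke[1:]):
        dt = (t2 - t1) or 1e-9  # guard against repeated time stamps
        out.append((math.hypot(x2 - x1, y2 - y1) / dt,
                    math.atan2(y2 - y1, x2 - x1)))
    return out

def mean_pressure(stroke):
    """Average pressure exerted over the stroke."""
    return sum(p[3] for p in stroke) / len(stroke)
```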

The behavior features may be used to extract information about the actual action performed by the user, as well as the manner in which the action is performed by the user. For example, information about the actual action performed by the user may be provided by the velocity direction, displacement magnitude, and displacement direction for the action. Information about the manner in which the action is performed may be provided by the pressure, velocity magnitude, stroke times, and inter-stroke times for the action.

In various embodiments, appropriate time resolutions at which an action is to be divided into subparts may be determined such that the feature values extracted from the subparts are consistent among different samples of the action. On one hand, if this resolution is too high, the feature values of the same subpart from different samples will not be consistent. On the other hand, if the resolution is too low, the distinctive information from the features is too averaged out to be useful for the authentication procedure. Furthermore, the time resolution may be automatically adjusted for different locations of an action because different locations have consistent feature values at different time resolutions. In various embodiments, the action may be divided into subparts at several time resolutions. Then, for each time resolution, the consistency of feature values extracted from each subpart may be measured among different samples of the action. The resulting coefficient of variation may be used to quantify consistency. All the subparts for which the coefficient of variation is below a certain threshold for a given feature may be selected for extracting the values of the given feature.
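
A minimal sketch of this consistency test is shown below: a subpart is kept for a given feature only if the coefficient of variation of that feature's values across the training samples falls below a threshold. The threshold value and the dictionary layout are illustrative assumptions, since the embodiments do not prescribe them.

```python
import statistics

CV_THRESHOLD = 0.1  # assumed value; the threshold is left unspecified above

def coefficient_of_variation(values):
    mean = statistics.mean(values)
    if mean == 0:
        return float("inf")
    return statistics.pstdev(values) / mean

def select_consistent_subparts(values_by_subpart):
    """values_by_subpart maps a (resolution, subpart) key to the list of
    feature values extracted from that subpart in each training sample."""
    return [key for key, values in values_by_subpart.items()
            if coefficient_of_variation(values) <= CV_THRESHOLD]
```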

In various embodiments, a signature sanitization process may be performed to identify the continuous strokes in a given signature that are to be divided, as well as the appropriate locations to divide the continuous strokes. As used herein, the term “stroke” refers to a continuous movement of a finger, touch pen, or any other suitable type of touch input device on a touch screen during which contact with the screen is not lost. Each user has a typical number of strokes in his signature. However, a user may sometimes join consecutive strokes while doing his signature. Such a combined stroke may be split prior to the extraction of behavior features so that the strokes can be modeled consistently. According to embodiments described herein, statistical techniques based on training data may be used to determine the typical number of strokes in a user's signature. In addition, given a signature, the timing information of strokes from the training data may be used to identify the candidate combined strokes in the signature. From the candidate combined strokes, appropriate combined strokes for splitting may be selected using the timing information of the respective strokes from the training data. A similar process may also be used to identify and split combined strokes in the training data.

In some embodiments, multiple behaviors may be learned from the training samples of a particular action. For example, a user may have multiple ways of performing an action. Therefore, each way that the user may perform the action may be modeled. According to embodiments described herein, the least possible number of minimum variance partitions of feature values may be generated from all the samples of a given subpart such that each partition is consistent. If the number of consistent partitions of a given subpart is below a certain threshold and the number of samples in each partition is above another threshold, each partition may represent a distinct behavior and, thus, may be used in training.
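
One plausible reading of this partitioning step is sketched below: the feature values of a subpart are sorted and greedily grown into runs that remain consistent, which tends to produce few low-variance partitions. The greedy strategy and all three numeric thresholds are assumptions made for illustration, not values from the embodiments.

```python
import statistics

def cv(values):
    m = statistics.mean(values)
    return statistics.pstdev(values) / m if m else float("inf")

def partition_behaviors(values, cv_threshold=0.1, max_partitions=3, min_samples=5):
    """Greedily split sorted feature values into consistent partitions."""
    partitions, current = [], []
    for v in sorted(values):
        if not current or cv(current + [v]) <= cv_threshold:
            current.append(v)
        else:
            partitions.append(current)
            current = [v]
    partitions.append(current)
    # The partitions represent distinct behaviors only if the partition
    # count and per-partition sample counts satisfy the two thresholds.
    if len(partitions) <= max_partitions and all(len(p) >= min_samples for p in partitions):
        return partitions
    return None  # subpart not usable for multi-behavior training
```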

In various embodiments, it may be desirable to identify gestures for a given user that result in a high true positive rate and a low false positive rate. To accomplish this, a user may be requested to provide training data for a number of gestures, e.g., the ten gestures described further with respect to FIG. 2. Machine learning techniques may be used to obtain true positive and false positive rates for each gesture based on the training data. The true positive and false positive rates may then be used to rank the gestures, and the n highest ranked gestures may be used for authentication of the touch screen device. The value of n may be selected by the user, or may be automatically selected by the touch screen device. A larger value of n corresponds to a higher level of security for the touch screen device.
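
The ranking step might look like the sketch below, which scores each gesture by its measured rates and keeps the n best. Scoring by the difference between the true positive and false positive rates is an illustrative choice; the embodiments only require that the two rates be used to rank the gestures.

```python
def rank_gestures(rates, n):
    """rates maps a gesture id to a (true_positive_rate,
    false_positive_rate) pair obtained from the training data."""
    ranked = sorted(rates, key=lambda g: rates[g][0] - rates[g][1],
                    reverse=True)
    return ranked[:n]

# Example: rank_gestures({"200A": (0.95, 0.02), "200B": (0.80, 0.10)}, 1)
# returns ["200A"].
```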

FIG. 2 is a schematic showing ten gestures 200A-J that may be used according to the behavior based authentication procedure described herein. As shown in FIG. 2, each gesture 200A-J may indicate the particular position and orientation at which the gesture is to be performed on the touch screen. In addition, each gesture 200A-J may include one or more arrows indicating the number of fingers to be used to perform the gesture 200A-J, as well as the specific direction(s) for performing the gesture 200A-J. For example, a first gesture 200A may include two swipes leftwards on the touch screen using two fingers, while a third gesture 200C may include three swipes upwards on the touch screen using three fingers.

FIG. 3 is a schematic showing an implementation of the behavior based authentication procedure described herein for a mobile phone 300. According to the implementation shown in FIG. 3, the user of the mobile phone 300 may use two fingers 302 to input a gesture, such as the seventh gesture 200G described above with respect to FIG. 2, on a touch screen 304 of the mobile phone 300. Furthermore, the user may input any number of additional gestures, such as any of the gestures 200A-F and 200H-J described with respect to FIG. 2, on the touch screen 304. In various embodiments, behavior features extracted from the input of the gestures 200A-J may then be used to authenticate the user of the mobile phone 300.

FIG. 4 is a schematic showing an implementation of the behavior based authentication procedure described herein for a tablet computer 400. According to the implementation shown in FIG. 4, the user of the tablet computer 400 uses a finger 402 to input his personal signature into a signature box 404 that is displayed on a touch screen 406 of the tablet computer 400. However, it is to be understood that the user may also input his personal signature into the signature box 404 using a touch pen or other touch input device. In various embodiments, behavior features extracted from the input of the user's personal signature may then be used to authenticate the user of the tablet computer 400.

The behavior based authentication procedure described herein may be implemented by an application (or any suitable type of module including processor executable code) executing on the touch screen device. In various embodiments, while the user of the touch screen device is performing a particular action on the touch screen, the application may sample touch points and log the coordinates of the touch points as well as the time stamp of sampling. The time stamp of the first touch point of the action may be 0, and the time stamps of all subsequent touch points may be measured relative to the first time stamp. The sampling time period for sampling touch points may be defined by the application programming interface (API) of the touch screen device. For example, the sampling time period may be defined as 8 milliseconds (ms) if the touch screen device is a tablet computer, or 18 ms if the touch screen device is a mobile phone. If a touch pen is being used on the touch screen (rather than the user's fingers), the application may also log the pressure exerted by the touch pen on the touch screen for each sampled touch point.

To treat each finger's movements independently in multi-finger gestures, it may be desirable to determine which touch points came from which fingers. To accomplish this, the application may assign a unique identifier to each touch source, e.g., each finger, that is in contact with the touch screen and save the identifier of the touch source along with the coordinates and time stamp for each sampled touch point. In various embodiments, strokes in signatures may be processed separately. Therefore, it may be desirable to determine the times at which a particular stroke starts and ends. To accomplish this, the application may log whether each sampled touch point is the first point when the touch source came in contact with the touch screen, an intermediate point when the touch source moved on the touch screen, or the last point when the touch source lost contact with the touch screen.
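
Taken together, the two preceding paragraphs imply a per-sample log record along the lines of the sketch below. The field names and the re-basing helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TouchSample:
    x: float
    y: float
    t_ms: int                         # time stamp relative to the first touch point
    source_id: int                    # unique identifier of the finger or pen
    event: str                        # "down", "move", or "up"
    pressure: Optional[float] = None  # logged only for touch-pen input

def rebase_timestamps(samples):
    """Re-base time stamps so the first touch point of the action is 0."""
    t0 = samples[0].t_ms
    for s in samples:
        s.t_ms -= t0
    return samples
```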

For purposes of illustration, the behavior based authentication procedure is described herein with respect to an exemplary data set. The exemplary data set includes data from a number of users. A first portion of the users may perform both signatures and gestures. A second portion of the users may perform only signatures, and the remaining portion of the users may perform only gestures. In addition, a number of users may also act as imposters to replicate the signatures of other users on a tablet computer.

A number of the users may perform signatures on the touch screen of a tablet computer using both a touch pen and their fingers. For each user, at least 100 signature samples may be performed using the touch pen, and at least 100 signature samples may be performed using their fingers. To prevent the users from developing temporary behaviors, which often occurs when the same action is performed many times, the users may be requested to perform no more than 10 signatures at a time before taking a break. Furthermore, a number of the users may perform signatures and gestures on the touch screen of a mobile phone using their fingers. Each user may be provided with a mobile phone executing the application described herein, and may be requested to provide at least 50 samples of signatures and at least 30 samples of each of a number of gestures, e.g., each of the gestures 200A-J described with respect to FIG. 2, over a period of one week.

In various embodiments, two categories of features may be considered. One category includes features that contain information relating to a particular action that was performed (e.g., information about what action was performed), while the other category includes features that contain information relating to the manner in which a particular action was performed (e.g., information about how an action was performed). In some embodiments, the values of seven types of features belonging to these two categories may be used.

As used herein, the term “feature type” (or “type of a feature”) is a broad term that encompasses all the features of a particular kind. For example, stroke time is a type of feature. An action with x strokes will have x features of this type.

In the following description, features that contain information relating to the manner in which a particular action was performed, i.e., “how” features, may be analyzed. The analysis of how features may be used to verify the hypothesis that users have distinct and consistent behaviors for performing actions on touch screens. In addition, features that contain information relating to the particular action that was performed, i.e., “what” features, may be analyzed. The analysis of what features may be used to show that, for actions that are visually alike, the features from this category are consistent regardless of who performed the actions.

Pressure is the first feature that may be used according to embodiments described herein. Pressure may be considered to be a how feature. Users have distinguishing and consistent patterns of exerting pressure on the touch screen while performing their signatures. Therefore, pressure can be used to model how an action is performed.

Velocity magnitude is the second feature that may be used according to embodiments described herein. Velocity magnitude may be considered to be a how feature. Users have distinguishing and consistent patterns of velocity magnitudes for performing signatures and gestures. More specifically, the time series of velocity magnitudes of samples of an action from the same user are highly consistent and are remarkably different from the time series of velocity magnitudes of samples of an action from a different user. Therefore, velocity magnitude can be used to model how an action is performed.

Stroke time is the third feature that may be used according to embodiments described herein. Stroke time may be considered to be a how feature. Users take a distinguishing and consistent amount of time when performing each stroke in an action. Therefore, stroke times can be used to model how an action is performed.

For signatures, stroke times of an imposter do not lie within the small time range in which the corresponding stroke times of the legitimate user lie. Therefore, the stroke times for signatures may be used to distinguish imposters from legitimate users. For gestures, the distributions of stroke times of users are centered at different means and have a very small overlap. Due to this insignificant overlap, the stroke times for gestures may also be used to distinguish imposters from legitimate users.

Inter-stroke time is the fourth feature that may be used according to embodiments described herein. Inter-stroke time may also be considered to be a how feature. Users generally take a distinguishing and consistent amount of time between consecutive strokes while performing actions on touch screens. Therefore, inter-stroke times can be used to model how an action is performed. More specifically, because inter-stroke times of an imposter typically do not lie within the small time range in which the corresponding inter-stroke times of the legitimate user lie, inter-stroke times may be used to distinguish imposters from legitimate users. In some embodiments, inter-stroke times may be used for signatures and single finger gestures rather than multi-finger gestures because all fingers involved in performing a multi-finger gesture interact with the touch screen approximately simultaneously.

Magnitude of relative stroke displacement (i.e., displacement magnitude) is the fifth feature that may be used according to embodiments described herein. Displacement magnitude may be considered to be both a how feature and a what feature. For multi-finger gestures, users have distinguishing and consistent displacement magnitudes between the centers of consecutive strokes. However, for signatures, although users have consistent displacement magnitudes between the centers of consecutive strokes, the displacement magnitudes are not distinct for legitimate users versus imposters when the signature performed by the imposter looks similar to the original signature. Therefore, the displacement magnitudes can be used to model how a gesture is performed and what signature is performed, but not how a signature is performed.

For gestures, the distributions of displacement magnitudes between consecutive strokes of users are centered at different means and have a small overlap. The overlap is small because the extent to which different users keep their fingers apart while doing multi-finger gestures differs due to the difference in anatomical sizes of their hands, which results in different displacement magnitudes between strokes. Due to the insignificant overlap, displacement magnitudes may be used to distinguish imposters from legitimate users.

For signatures, the displacement magnitudes in a well-copied signature by an imposter may lie within the range in which the corresponding displacement magnitudes in the original signature by the legitimate user lie. Therefore, displacement magnitudes may not be used to distinguish between the signatures of legitimate users and imposters. However, displacement magnitudes may be used to determine whether a test signature looks visually similar to the original signature, since signatures that are visually similar will have similar displacement magnitude values.

Velocity phase (i.e., velocity direction) is the sixth feature that may be used according to embodiments described herein. Velocity direction may be considered to be a what feature. Users have consistent patterns of velocity direction in signatures and gestures. However, these patterns may not be used to distinguish between actions of legitimate users and imposters when the action performed by the imposter is visually similar to the action performed by the legitimate user. Therefore, velocity direction may be used to model what action is performed, but not how that action is performed.

Phase of relative stroke displacement (i.e., displacement direction) is the seventh feature that may be used according to embodiments described herein. Displacement direction may also be considered to be a what feature. Users have consistent patterns of displacement direction in signatures and gestures. However, these patterns may not be used to distinguish between the actions of legitimate users and imposters when the action performed by the imposter is visually similar to the action performed by the legitimate user. Therefore, displacement direction may be used to model what action is performed, but not how that action is performed.

For signatures, the displacement directions in a well-copied signature by an imposter may lie within the range in which the corresponding displacement directions in the original signature by a legitimate user lie. Therefore, displacement direction may not be used to distinguish between signatures of legitimate users and imposters. However, the displacement direction may be used to determine whether a test signature is visually similar to the original signature because signatures that look visually similar will have similar displacement direction values. Furthermore, for gestures, the distributions of displacement direction of different users may have considerable overlap. Therefore, displacement direction may not be used to distinguish imposters from legitimate users.

In various embodiments, the seven types of features described herein either allow legitimate users to be distinguished from imposters based on the manner in which legitimate users perform particular actions, or allow a determination to be made regarding whether a particular action that has been performed is the same as the action that was expected. Therefore, the use of the seven types of features in combination may allow for the simultaneous determination of whether an action that was performed is the action that was expected and whether the action was performed by the legitimate user or an imposter.

The behavior based authentication procedure described herein may be used to authenticate a user of a touch screen device based on his behavior of performing a particular action on the touch screen. This may be accomplished using a model of the legitimate user's behavior of performing the particular action. Such a model may be developed using support vector distribution estimation (SVDE).
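
SVDE is commonly realized as a one-class support vector machine trained only on the legitimate user's samples. The sketch below uses scikit-learn's OneClassSVM under that reading; the stand-in data, feature-vector length, and kernel settings are assumptions made for illustration, not prescribed by the embodiments.

```python
import numpy as np
from sklearn.svm import OneClassSVM

rng = np.random.default_rng(0)
# Stand-in for training samples already reduced to fixed-length vectors
# of the selected feature values (40 samples, 12 features here).
training_vectors = rng.normal(loc=1.0, scale=0.05, size=(40, 12))

model = OneClassSVM(kernel="rbf", nu=0.1, gamma="scale")
model.fit(training_vectors)

test_vector = rng.normal(loc=1.0, scale=0.05, size=(1, 12))
is_legitimate = model.predict(test_vector)[0] == 1  # +1 = inside the learned distribution
print("legitimate" if is_legitimate else "imposter")
```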

FIG. 5 is a process flow diagram of the behavior based authentication procedure 500 described herein. The behavior based authentication procedure 500 may be implemented via a touch screen device or, more specifically, via an application (or any suitable type of module including processor executable code) executing on the touch screen device. In various embodiments, the behavior based authentication procedure includes a training procedure 502 and a testing procedure 504.

The model of the legitimate user's behavior of performing the particular action may be developed in the training procedure 502. The training procedure 502 begins at block 506. At block 508, training samples for the particular action performed by the legitimate user are acquired. Specifically, the legitimate user may be requested to perform the action a specific number of times on the touch screen of the touch screen device. At block 510, the time series of the x-coordinates and the y-coordinates of the action are passed through a filter to remove high frequency noise.

If the action is a signature, the signature is sanitized at block 512. This may involve making the number of strokes equal across all the training samples in the set. At block 514, the values of a number of different types of features, e.g., the seven types of features discussed above, are extracted from the action. To accomplish this, each stroke in the action may be divided into subparts at multiple time resolutions, and the pressure, velocity direction, and velocity magnitude may be extracted from each subpart. The stroke times and inter-stroke times of each stroke may also be determined, as well as the displacement magnitude and displacement direction between the centers of consecutive strokes in the action.

At block 516, features that have consistent values in all training samples are selected by calculating the coefficient of variation for each feature and comparing the coefficient of variation with a threshold. If the coefficient of variation of a feature is below the threshold, i.e., cv≦T_(cv), the feature may be selected for use in building the model of user behavior.

At block 518, multiple behaviors are extracted in all those features for which the coefficients of variation are above the threshold, and those features are kept for use in building the model. At block 520, the training samples are partitioned into training groups based on the features that were kept for building the model. The training samples may be partitioned such that the training samples in each training group represent a distinct behavior of the user.

At blocks 522 and 524, a model of the user's behavior is built for each training group. The model for each training group is built in the form of an SVDE based classifier trained on the training samples in that training group. In the case of gestures, the user is requested to provide training samples for each of the ten gestures at block 526, and the training procedure 502 is used to build a model of the user's behavior for each gesture. The true positive rate, false positive rate, and accuracy of classification for each gesture are calculated, and the gestures are ranked at block 528 according to any of those three measures (as selected by the user or automatically determined by the touch screen device). This ranking is performed to determine which gesture has the highest classification potential for the user.

Once the model of the user's behavior has been obtained via the training procedure 502, the behavior based authentication procedure 500 proceeds to the testing procedure 504. The testing procedure 504 is used to authenticate the user of the touch screen device.

The testing procedure 504 begins at block 530. At block 532, a test sample for the particular action is acquired. This may be accomplished by requesting the user to perform a signature or to perform n gestures. In various embodiments, the user may specify whether the signature or the gestures are to be used for authentication during the initial setup of the touch screen device. In some embodiments, if gestures are to be used for the testing procedure 504, the user may be requested to perform the n top gestures ranked during the training procedure 502.

At block 534, the time series of the x-coordinates and the y-coordinates of the action are passed through a filter to remove high frequency noise. If the action is a signature, the signature is sanitized at block 536. At block 538, the values of all the features used for training the SVDE based classifiers are extracted.

At block 540, a classification decision on the extracted feature values of a given action is obtained from the trained classifier of each training group. At block 542, it is determined whether the user is an imposter or the legitimate user. In various embodiments, the user is determined to be legitimate if any of the classifiers indicate that the user is legitimate. Further, in the case of gestures, classification decisions may be obtained for all n gestures, and a majority vote on the n decisions may be used to determine whether the user is an imposter or the legitimate user.
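
The two decision rules described in this block reduce to a few lines, as in the sketch below; the classifier objects are assumed to expose a scikit-learn-style predict method returning +1 for legitimate samples.

```python
def classify_sample(classifiers, feature_vector):
    """Legitimate if any per-training-group classifier accepts the sample."""
    return any(clf.predict([feature_vector])[0] == 1 for clf in classifiers)

def authenticate_gestures(decisions):
    """Majority vote over the Boolean decisions for the n gestures."""
    return sum(decisions) > len(decisions) / 2
```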

If the user is determined to be an imposter, the user may be blocked from accessing the touch screen device at block 544. On the other hand, if the user is determined to be the legitimate user, the user may be allowed to access the touch screen device at block 546.

The process flow diagram of FIG. 5 is not intended to indicate that the blocks of the behavior based authentication procedure 500 are to be executed in any particular order, or that all the blocks shown in FIG. 5 are to be included in the behavior based authentication procedure 500 in every implementation. Further, any number of additional blocks may be included within the behavior based authentication procedure 500, depending on the details of the specific implementation.

As discussed above, the time series of the x-coordinates and the y-coordinates of the logged data points may be passed through a low pass filter to remove any high frequency noise. The time series of the x-coordinates and the y-coordinates of the logged data points may contain high frequency noise due to the finite touch resolution of capacitive touch screens. This high frequency noise may affect the velocity magnitudes and directions. As used herein, the term “high” is relative to the frequency of non-noise components in human actions on touch screens. Specifically, the time series of data points from human actions on touch screens typically contain a majority of their energy in frequencies lower than 20 Hertz (Hz). Therefore, frequencies above 20 Hz may be considered to be high frequencies.

Noise is particularly prominent for actions performed using fingers because capacitive touch screens determine the position of touch by calculating the centroid of the area of the touch screen that is in contact with the finger. When the finger moves on the touch screen, its contact area varies. This results in a change in the centroid value at every instant, which in turn results in another source of noise in addition to finite touch resolution.

In various embodiments, a simple moving average (SMA) filter is used to remove such high frequency noise. The simple moving average (SMA) is the unweighted mean of the previous α data points. In some embodiments, the value of α may be set to 15 for time series corresponding to the use of a finger, and the value of α may be set to 10 for time series corresponding to the use of a touch pen.
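
A direct transcription of this filter is shown below; the only assumption is that the first α−1 points are averaged over however many points are available.

```python
def sma_filter(series, alpha):
    """Replace each point with the unweighted mean of the previous
    alpha data points (alpha = 15 for a finger, 10 for a touch pen)."""
    smoothed = []
    for i in range(len(series)):
        window = series[max(0, i - alpha + 1): i + 1]
        smoothed.append(sum(window) / len(window))
    return smoothed

# Applied separately to the x- and y-coordinate time series:
# xs_clean = sma_filter(xs, alpha=15)
# ys_clean = sma_filter(ys, alpha=15)
```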

The combined strokes in a signature sample may be split because features such as stroke time, inter-stroke time, displacement magnitude, and displacement direction depend on the number of strokes in a signature. If the number of strokes in a given signature sample is not consistent with the number of strokes in other signature samples, it may be difficult to relate the values of features from the given signature sample with the values of features from the other signature samples.

Combined strokes occur whenever users do not completely lift their finger or the touch pen from the touch screen between consecutive strokes while doing their signatures. The typical number of strokes in the signature of a user may be determined by identifying the number of strokes that occurs with the highest frequency in the training samples for the user's signature. If the number of strokes in a given signature is less than the typical number of strokes for that signature, the signature may be referred to as an “inconsistent signature.” On the other hand, if the number of strokes in a given signature is equal to the typical number of strokes for that signature, the signature may be referred to as a “consistent signature.” The process of turning an inconsistent signature into a consistent signature may be referred to as “signature sanitization.”
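
The statistical step described above amounts to taking the mode of the stroke counts, as in the sketch below; the function names are illustrative.

```python
from collections import Counter

def typical_stroke_count(training_samples):
    """training_samples is a list of samples, each a list of strokes."""
    counts = Counter(len(sample) for sample in training_samples)
    return counts.most_common(1)[0][0]

def is_consistent(sample, n_typical):
    return len(sample) == n_typical
```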

To perform signature sanitization, several steps may be performed. First, the next candidate stroke may be identified. The next candidate stroke may be a stroke in the inconsistent signature that is likely to be a combined stroke and, therefore, is to be split. Second, the identified candidate stroke may be split into an appropriate number of strokes. Third, it may be verified that the strokes obtained after splitting the candidate stroke are consistent with the corresponding strokes in the consistent training samples of the signature. These three steps may then be repeated (beginning with the first step) until the inconsistent signature becomes a consistent signature, or until all of the strokes of the inconsistent signature have been split and the inconsistent signature is still not a consistent signature. In the latter case, the inconsistent signature may be discarded. In various embodiments, this process is used to sanitize all the inconsistent samples in the training samples for the signature. Further, in some embodiments, if the number of strokes in the signature is greater than the typical number of strokes, the signature may simply be discarded without performing signature sanitization.

The following description provides a more detailed explanation of the three steps for signature sanitization. As discussed above, the first step is the identification of the next candidate stroke. In this first step, the strokes in the inconsistent signature are sequentially scanned starting with the first stroke to identify candidate strokes. Let n_(t) be the typical number of strokes in the consistent training samples for a given signature, and let n_(ic) be the number of strokes in the inconsistent training sample, where n_(ic)<n_(t). To determine whether a stroke i of the inconsistent training sample is a candidate stroke, the stroke time of stroke i may be compared with the sum of stroke times and inter-stroke times of l+1 consecutive strokes, starting from stroke i up to stroke i+l, of the consistent training samples for the signature. The value of l lies in the range [0, n_(t)−n_(ic)]. If it is determined that the stroke time of the particular stroke of the inconsistent signature is close enough to the sum of stroke times and inter-stroke times of the l+1 consecutive strokes in the consistent training samples for the signature, the stroke may be identified as the candidate stroke. The signature sanitization may then proceed to the next step of splitting the candidate stroke. If no candidate strokes are found (which could be because the signature was performed by an imposter or because the signature is not visually similar to the consistent signatures, for example), the inconsistent signature may be discarded.

To formally describe how the stroke time of stroke i is compared with the sum of stroke times and inter-stroke times of l+1 consecutive strokes, i.e., strokes i to i+l, the following notations may be used. Let N be the number of training samples of the given signature. Without loss of generality, it may be assumed that all N training samples are consistent. Let ^(ic)t_(i) be the stroke time of a stroke i (where 1≦i≦n_(ic)) in the inconsistent signature, and let ^(ic){circumflex over (t)}_(i) be the inter-stroke time between strokes i and i+1 in the inconsistent signature. Similarly, let ^(t)t_(i)[j] be the stroke time of a stroke i (where 1≦i≦n_(t)) in the jth consistent training sample (where 1≦j≦N) of the signature, and let ^(t){circumflex over (t)}_(i)[j] be the inter-stroke time between strokes i and i+1 in the jth consistent training sample of the signature. Let μ_(i) and {circumflex over (μ)}_(i) be respectively the means of the stroke times of stroke i and the inter-stroke times between strokes i and i+1 among the N consistent training samples of the signature, as defined below in Eq. (1).

$\begin{matrix} {{\mu_{i} = \sum\limits_{j = 1}^{N} \frac{{}^{t}t_{i}\lbrack j \rbrack}{N}}, \quad {{\hat{\mu}}_{i} = \sum\limits_{j = 1}^{N} \frac{{}^{t}{\hat{t}}_{i}\lbrack j \rbrack}{N}}} & (1) \end{matrix}$

Let Cov(i, k) be the covariance between samples of the stroke time of stroke i and samples of the stroke time of stroke k from the N consistent training samples for the signature. Formally, Cov(i, k) may be defined as shown below in Eq. (2).

$\begin{matrix} {{Cov}\left( {i,k} \right) = \sum\limits_{j = 1}^{N} \frac{\left( {{}^{t}t_{i}\lbrack j \rbrack - \mu_{i}} \right)\left( {{}^{t}t_{k}\lbrack j \rbrack - \mu_{k}} \right)}{N}} & (2) \end{matrix}$

Similarly, let Côv(i, k) be the covariance between samples of the inter-stroke time between strokes i and i+1 and samples of the inter-stroke time between strokes k and k+1 from the N consistent training samples for the signature. Formally, Côv(i, k) may be defined as shown below in Eq. (3).

$\begin{matrix}{{C\hat{o}{v( {i,k} )}} = {\sum\limits_{j = 1}^{N}\; \frac{( {{{{}_{}^{} t \hat{}_{}^{}}\lbrack j\rbrack} - {\hat{\mu}}_{i}} )( {{{{}_{}^{} t \hat{}_{}^{}}\lbrack j\rbrack} - {\hat{\mu}}_{k}} )}{N}}} & (3)\end{matrix}$

Let $\overline{Cov}(i, k)$ be the covariance between samples of the stroke time of stroke i and samples of the inter-stroke time between strokes k and k+1 from the N consistent training samples for the signature. Formally, $\overline{Cov}(i, k)$ may be defined as shown below in Eq. (4).

$\begin{matrix} {\overline{Cov}\left( {i,k} \right) = \sum\limits_{j = 1}^{N} \frac{\left( {{}^{t}t_{i}\lbrack j \rbrack - \mu_{i}} \right)\left( {{}^{t}{\hat{t}}_{k}\lbrack j \rbrack - {\hat{\mu}}_{k}} \right)}{N}} & (4) \end{matrix}$

Let μ_(il), σ_(il), and cv_(il) be the mean, standard deviation, and coefficient of variation, respectively, of the sum of the stroke times of strokes i to i+l and the inter-stroke times between these l+1 strokes in the N consistent training samples for the signature. Formally, μ_(il), σ_(il), and cv_(il) may be defined according to Eqs. (5)-(7).

$\begin{matrix} {\mu_{il} = {\sum\limits_{x = i}^{i + l} \mu_{x}} + {\sum\limits_{x = i}^{i + l - 1} {\hat{\mu}}_{x}}} & (5) \\ {\sigma_{il} = \sqrt{{\sum\limits_{x = i}^{i + l} \sum\limits_{y = i}^{i + l} {Cov}\left( {x,y} \right)} + {\sum\limits_{x = i}^{i + l - 1} \sum\limits_{y = i}^{i + l - 1} C\hat{o}v\left( {x,y} \right)} + {\sum\limits_{x = i}^{i + l} \sum\limits_{y = i}^{i + l - 1} \overline{Cov}\left( {x,y} \right)}}} & (6) \\ {{cv}_{il} = \frac{\sigma_{il}}{\mu_{il}}} & (7) \end{matrix}$

To determine whether a stroke i of the inconsistent signature is a combination of strokes i to i+l of the consistent signature, the mean μ_(il) and standard deviation σ_(il) of the sum of the stroke times of strokes i to i+l and the inter-stroke times between these l+1 strokes of the N consistent training samples for the signature may be calculated. Second, it may be determined whether the stroke time ^(ic)t_(i) of this stroke i of the inconsistent signature lies within a constant factor c of cv_(il) times σ_(il) on either side of μ_(il). If it does, there is a possibility that this stroke i of the inconsistent signature is a combination of strokes i to i+l of the consistent signature. Therefore, the stroke i of the inconsistent signature may be identified as a candidate stroke. The purpose of multiplying cv_(il) with σ_(il) is to scale the range around μ_(il), in which ^(ic)t_(i) can lie, according to the extent of variation in the values of the sum of the stroke times of strokes i to i+l and the inter-stroke times between these l+1 strokes of the N consistent training samples for the signature. If the variation is large (or small), it may be desirable to allow for a larger (or smaller) range around μ_(il) in which ^(ic)t_(i) can lie. This is automatically accomplished using cv_(il).

Formally, a stroke i may be identified as a candidate stroke if its stroke time ^(ic)t_(i) satisfies the condition shown below in Eq. (8).

μ_(il) − c×cv_(il)×σ_(il) ≦ ^(ic)t_(i) ≦ μ_(il) + c×cv_(il)×σ_(il)   (8)
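
By way of illustration, the candidate test of Eq. (8) may be sketched in Python as follows. The layout of the stroke times as an N×n_(t) array T and of the inter-stroke times as an N×(n_(t)−1) array T_hat, both taken from the N consistent training samples, as well as the value of the constant c, are assumptions made for the example; σ_(il) is computed directly as the standard deviation of the per-sample sums.

  import numpy as np

  def is_candidate(ic_t_i, i, l, T, T_hat, c=1.0):
      # Sum of the stroke times of strokes i..i+l and the l inter-stroke
      # times between them, computed per training sample (i is 0-based).
      sums = T[:, i:i + l + 1].sum(axis=1) + T_hat[:, i:i + l].sum(axis=1)
      mu_il = sums.mean()
      sigma_il = sums.std()          # population standard deviation (1/N)
      cv_il = sigma_il / mu_il       # Eq. (7)
      delta = c * cv_il * sigma_il   # tolerance of Eq. (8)
      return mu_il - delta <= ic_t_i <= mu_il + delta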

As discussed above, the second step in signature sanitization is splitting combined strokes. The candidate stroke i may be split into l+1 strokes corresponding to the strokes i to i+l of the consistent training samples of the signature. This may be accomplished by removing those parts from the candidate stroke that are not present in typical signatures. Specifically, the means of the stroke times of strokes i to i+l (i.e., μ_(i) to μ_(i+l)) and the means of the inter-stroke times between these l+1 strokes (i.e., {circumflex over (μ)}_(i) to {circumflex over (μ)}_(i+l−1)) may be calculated from the N consistent training samples for the signature. The l portions of the candidate stroke i whose times correspond to the l mean inter-stroke times (i.e., {circumflex over (μ)}_(i) to {circumflex over (μ)}_(i+l−1)) of the consistent signatures may then be removed. This may result in the splitting of the candidate stroke into the desired l+1 strokes.

To formally explain which l portions of candidate stroke i are to be removed, the instantaneous time of drawing the candidate stroke i may be represented by t, where 0≦t≦^(ic)t_(i). All the points from the signature for which the instantaneous time satisfies the condition shown below in Eq. (9) may be removed.

$\begin{matrix} {\frac{{\sum\limits_{x = i}^{i + k} \mu_{x}} + {\sum\limits_{x = i}^{i + k - 1} {\hat{\mu}}_{x}}}{\mu_{il}} \times {}^{ic}t_{i} < t < \frac{\sum\limits_{x = i}^{i + k} \left( {\mu_{x} + {\hat{\mu}}_{x}} \right)}{\mu_{il}} \times {}^{ic}t_{i}} & (9) \end{matrix}$

In Eq. (9), 0≦k≦l−1. The numerator in the fraction on the left hand side of Eq. (9) represents the sum of the average stroke times of strokes i to i+k and the k average inter-stroke times between these k+1 strokes in the consistent training samples. The numerator in the fraction on the right hand side of Eq. (9) represents the sum of the average stroke times of strokes i to i+k and the k+1 average inter-stroke times between strokes i to i+k+1. The denominator in both of the fractions of Eq. (9) is the sum of the average stroke times of strokes i to i+l and the inter-stroke times between these l+1 strokes. The left hand side of Eq. (9) calculates the value of the instantaneous time at which the contact between the touch input device and the touch screen is to have been removed by the user to end stroke number i+k, while the right hand side of Eq. (9) calculates the value of the instantaneous time at which the contact between the touch input device and the touch screen is to have been reestablished by the user to start stroke number i+k+1 (which the user did not do, resulting in a combined stroke). Therefore, all the data points for which the instantaneous time satisfies the condition in Eq. (9) may be removed from the candidate stroke i, and l+1 strokes may be generated from the candidate stroke.
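
A minimal Python sketch of this splitting step is shown below. The candidate stroke is assumed to be given as an array of touch points with a parallel array of instantaneous times in [0, ^(ic)t_(i)], and mu and mu_hat are assumed to hold the mean stroke times and mean inter-stroke times of the consistent training samples (0-based indexing). The gaps left by the removed points then delimit the l+1 strokes.

  import numpy as np

  def split_candidate(points, times, i, l, mu, mu_hat):
      points, times = np.asarray(points), np.asarray(times)
      ic_t_i = times[-1]
      mu_il = mu[i:i + l + 1].sum() + mu_hat[i:i + l].sum()  # Eq. (5)
      keep = np.ones(len(times), dtype=bool)
      for k in range(l):  # 0 <= k <= l - 1
          lo = (mu[i:i + k + 1].sum() + mu_hat[i:i + k].sum()) / mu_il * ic_t_i
          hi = (mu[i:i + k + 1].sum() + mu_hat[i:i + k + 1].sum()) / mu_il * ic_t_i
          keep &= ~((times > lo) & (times < hi))  # drop points satisfying Eq. (9)
      return points[keep], times[keep]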

As discussed above, the third step of signature sanitization is verification. It may be verified whether the stroke times of the l+1 strokes obtained by splitting the candidate stroke i are consistent with the stroke times of the corresponding strokes in the consistent training samples for the signature. If verified, the strokes resulting from splitting the candidate stroke may be kept. Otherwise, the strokes may be discarded, and the candidate stroke may remain as is. It may then be determined whether either of the stopping conditions has been met. If neither stopping condition has been met, the signature sanitization may begin searching for the next candidate stroke at the first step.

To verify that the stroke times of the l+1 new strokes are consistent with the stroke times of the corresponding strokes in the consistent training samples, the means μ_(x) and standard deviations σ_(x)(=√{square root over (Cov(x, x))}) of the stroke times of each of the corresponding l+1 strokes (i.e., ∀x∈[i, i+l]) in the consistent training samples for the signature may be calculated. Second, it may be determined whether the time ^(s)t_(x) of each new stroke obtained after splitting the candidate stroke lies within a constant factor c of cv_(x) times σ_(x) on either side of μ_(x), where cv_(x) is the coefficient of variation of the stroke times of stroke x in the consistent training samples for the signature and is given by cv_(x)=σ_(x)/μ_(x). The intuition of multiplying cv_(x) with σ_(x) is the same as that of multiplying cv_(il) with σ_(il) according to Eq. (8). If, ∀x∈[i, i+l], ^(s)t_(x) lies within this range, the signature sanitization may be considered to be correct, and the split strokes may be kept. Formally, the signature sanitization may be considered to be correct if the condition shown below in Eq. (10) holds for all split strokes.

μ_(x) − c×cv_(x)×σ_(x) ≦ ^(s)t_(x) ≦ μ_(x) + c×cv_(x)×σ_(x)   (10)
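
A sketch of this verification in Python, under the same array-layout assumptions as the earlier sketches:

  import numpy as np

  def verify_split(split_times, i, T, c=1.0):
      # split_times: stroke times of the l+1 new strokes; T: N x n_t array
      # of stroke times from the consistent training samples (0-based i).
      for offset, s_t in enumerate(split_times):
          col = T[:, i + offset]
          mu_x, sigma_x = col.mean(), col.std()
          cv_x = sigma_x / mu_x
          if not (mu_x - c * cv_x * sigma_x <= s_t <= mu_x + c * cv_x * sigma_x):
              return False  # Eq. (10) violated; discard the split strokes
      return True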

Pseudocode that may be used to perform signature sanitization is shown below.

  Input:  (1) Inconsistent signature sample S with n_(ic) strokes
          (2) N consistent training samples with n_(t) strokes each
  Output: (1) Sanitization status F_(S) ∈ {True, False}
          (2) Resulting signature after sanitization S′
  S′ ← S
  for i := 1 to n_(ic) do
    F_(v) ← false
    for l := 0 to n_(t) − n_(ic) do
      if ^(ic)t_(i) satisfies Eq. (8) then
        for k := 0 to l − 1 do
          Remove data points for which t satisfies Eq. (9)
        end
        for x := i to i + l do
          F_(v) ← true
          if ^(s)t_(x) does not satisfy Eq. (10) then
            F_(v) ← false
            Break innermost for loop
          end
        end
      end
      if F_(v) is true then
        Replace candidate stroke i with l + 1 strokes in S′
        n_(ic) ← n_(ic) + l
        i ← i + l + 1
        Break innermost for loop
      else
        Keep candidate stroke i in S′
      end
    end
    if n_(ic) == n_(t) then
      F_(S) ← true
      return (F_(S), S′)
    end
  end
  F_(S) ← false
  S′ ← S
  return (F_(S), S′)

The following description provides a detailed explanation of the manner in which the values of the seven types of features are extracted, as well as the manner in which appropriate features are selected for building the model of the user's behavior using SVDE based classifiers. In various embodiments, “stroke based features,” which may include stroke time, inter-stroke time, displacement magnitude, and displacement direction, as well as “sub-stroke based features,” which may include velocity magnitude, velocity direction, and device acceleration (or pressure), are extracted from training samples for the action.

In some embodiments, to extract the stroke time of a stroke based on the time stamps of touch points, the time duration between the time of the first touch point and the time of the last touch point for the stroke is calculated. To extract the inter-stroke time between two consecutive strokes in an action based on the time stamps of the touch points, the time duration between the time of the first touch point of the first stroke and the time of the first touch point of the second stroke may be calculated. In various embodiments, the inter-stroke times between all pairs of consecutive strokes in an action are calculated. To extract the stroke displacement magnitude between any two strokes in an action, the Euclidean distance between the centers of the two bounding boxes of the two strokes may be calculated. A bounding box of a stroke is the smallest rectangle that contains the stroke. To extract the stroke displacement direction between any two strokes in an action, the arc-tangent of the ratio of the magnitudes of the vertical component and the horizontal component of the stroke displacement vector directed from the center of one bounding box to the center of the other bounding box may be calculated. In various embodiments, the stroke displacement magnitude and stroke displacement direction are calculated for all pairs of strokes in an action.
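
By way of illustration, these stroke based features may be computed as in the following Python sketch; the representation of a stroke as an array of (x, y, t) touch points is an assumption made for the example.

  import numpy as np

  def stroke_features(stroke_a, stroke_b):
      a, b = np.asarray(stroke_a, float), np.asarray(stroke_b, float)
      stroke_time = a[-1, 2] - a[0, 2]       # first to last touch point of a stroke
      inter_stroke_time = b[0, 2] - a[0, 2]  # first touch point to first touch point

      def bbox_center(s):
          # Center of the smallest rectangle containing the stroke.
          return (s[:, :2].min(axis=0) + s[:, :2].max(axis=0)) / 2

      d = bbox_center(b) - bbox_center(a)    # stroke displacement vector
      disp_mag = np.hypot(d[0], d[1])        # Euclidean distance between centers
      disp_dir = np.arctan2(abs(d[1]), abs(d[0]))  # arc-tangent of |vertical| / |horizontal|
      return stroke_time, inter_stroke_time, disp_mag, disp_dir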

Given N training samples, for each feature element, all N values may be partitioned into the least number of minimum variance partitions, where the coefficient of variation for each partition is below a threshold. Let P_(k) represent a partitioning of the N values of a feature element into k partitions, and let Q_(k) represent a different partitioning of the N values of the same feature element into k partitions. Let σ_(i)²(P_(k)) represent the variance of the values in partition i of partitioning P_(k), where 1≦i≦k, and let σ_(i)²(Q_(k)) represent the variance of the values in partition i of partitioning Q_(k). Partitioning P_(k) is the minimum variance partitioning if and only if the condition shown below in Eq. (11) holds for any Q_(k).

$\begin{matrix} {{\max\limits_{i}\left( \sigma_{i}^{2}\left( P_{k} \right) \right)} \leq {\max\limits_{i}\left( \sigma_{i}^{2}\left( Q_{k} \right) \right)}} & (11) \end{matrix}$

To find the least number of minimum variance partitions for which the coefficient of variation is below the threshold, the number of minimum variance partitions may be increased starting from 1 until the coefficient of variation is below the threshold. To obtain k minimum variance partitions, where 1≦k≦N, agglomerative hierarchical clustering may be used with Ward's method. Ward's method may allow for the determination of any number of partitions by cutting the dendrogram built by agglomerative hierarchical clustering at an appropriate level.
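
A sketch of this search in Python is shown below. The use of SciPy's implementation of Ward's method is an assumption made for the example; the disclosure does not name a particular clustering library.

  import numpy as np
  from scipy.cluster.hierarchy import fcluster, linkage

  def min_variance_partitions(values, threshold):
      # values: the N values of one feature element.
      v = np.asarray(values, float).reshape(-1, 1)
      Z = linkage(v, method='ward')  # dendrogram from agglomerative clustering
      for k in range(1, len(values) + 1):
          labels = fcluster(Z, t=k, criterion='maxclust')  # cut into k partitions
          cvs = [v[labels == c].std() / v[labels == c].mean()
                 for c in np.unique(labels)]
          if max(cvs) <= threshold:
              return k, labels  # least k whose partitions all meet the threshold
      return len(values), None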

After the least number of minimum variance partitions for which the coefficient of variation for each partition is below the threshold has been found, a determination may be made about whether to select the feature element. If the least number of minimum variance partitions is less than or equal to the number of postures for which the training samples were obtained, the feature element may be selected. Otherwise, the feature element may be discarded. Note that, if the number of postures for which the training samples were obtained is unknown, the number of postures may be assumed to be equal to 1.

As discussed above, sub-stroke based features may include velocity magnitude, velocity direction, and device acceleration. To extract values for these features, each stroke may be segmented into sub-strokes. Each stroke may be segmented into sub-strokes because, at different segments of a stroke, the speed and direction of movement of the finger often varies. In addition, at different segments of a stroke, the acceleration of the device often varies.

It may be desirable to segment a stroke into sub-strokes such that the velocity magnitude, velocity direction, and device acceleration information measured at each sub-stroke characterizes the distinguishing behaviors of the user who performed the stroke. Given N strokes performed by one user and the appropriate time duration p as the segmentation guideline, each stroke may be segmented into the same number of segments such that, for each stroke, the same number of feature elements is obtained. However, because different strokes have different time durations, segmenting each stroke into sub-strokes of time duration p may not result in the same number of segments for each stroke. To address this issue, the value of

$\lceil \frac{t}{p} \rceil$

may be calculated for each stroke, where t is the time duration of the stroke. From the resulting N values, the most frequent value, denoted s, may be used as the number of sub-strokes into which each stroke is to be segmented. Finally, each stroke may be segmented into s sub-strokes, where each sub-stroke has the same time duration.
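
For example, in Python:

  import math
  from collections import Counter

  def num_substrokes(stroke_times, p):
      # stroke_times: time durations of the N samples of a stroke;
      # p: the sub-stroke time duration used as the segmentation guideline.
      counts = [math.ceil(t / p) for t in stroke_times]
      return Counter(counts).most_common(1)[0][0]  # most frequent value s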

After segmenting all strokes into sub-strokes, the velocity magnitude, velocity direction, and device acceleration may be extracted from each sub-stroke. To calculate the velocity magnitude and direction, the coordinates of the starting and ending points of the sub-stroke may be obtained. However, the starting and ending points of a sub-stroke, which is segmented from a stroke based on time duration, often do not lie exactly on touch points reported by the touch screen device. The coordinates of any end point that lies between two consecutive touch points reported by the touch screen device may be calculated by interpolating between these two touch points. Let (x_(i), y_(i)) be the coordinates of a touch point with time stamp t_(i), and let (x_(i+1), y_(i+1)) be the coordinates of the adjacent touch point with time stamp t_(i+1). Suppose the time stamp of an end point is equal to t, where t_(i)<t<t_(i+1). The coordinates (x, y) of the end point may then be calculated based on the straight line between (x_(i), y_(i)) and (x_(i+1), y_(i+1)), as shown below in Eqs. (12) and (13).

$\begin{matrix}{x = {{\frac{( {t - t_{i}} )}{( {t_{i + 1} - t_{i}} )} \times ( {x_{i + 1} - x_{i}} )} + x_{i}}} & (12) \\{y = {{\frac{( {t - t_{i}} )}{( {t_{i + 1} - t_{i}} )} \times ( {y_{i + 1} - y_{i}} )} + y_{i}}} & (13)\end{matrix}$
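
Eqs. (12) and (13) amount to linear interpolation along the straight line between the two touch points, for example:

  def interpolate_endpoint(p_i, p_next, t):
      # p_i = (x_i, y_i, t_i) and p_next = (x_{i+1}, y_{i+1}, t_{i+1})
      # are consecutive touch points, with t_i < t < t_{i+1}.
      x_i, y_i, t_i = p_i
      x_n, y_n, t_n = p_next
      frac = (t - t_i) / (t_n - t_i)
      return x_i + frac * (x_n - x_i), y_i + frac * (y_n - y_i)  # Eqs. (12)-(13)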

The velocity magnitude of each sub-stroke may be extracted by calculating the Euclidean distance between the starting and ending points of the sub-stroke divided by the time duration of the sub-stroke. The velocity direction of each sub-stroke may be extracted by calculating the arc-tangent of the ratio of the magnitudes of the vertical component and the horizontal component of the velocity vector directed from the starting point to the ending point of the sub-stroke. In addition, the device acceleration during each sub-stroke may be extracted by averaging the device acceleration values reported by the touch screen device at each touch point in that sub-stroke in all three directions, with the device being the origin.
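
A Python sketch of these sub-stroke features, assuming the interpolated end points and the per-touch-point accelerometer readings are available:

  import numpy as np

  def substroke_velocity(start, end, duration):
      dx, dy = end[0] - start[0], end[1] - start[1]
      v_mag = np.hypot(dx, dy) / duration   # Euclidean distance over time duration
      v_dir = np.arctan2(abs(dy), abs(dx))  # arc-tangent of |vertical| / |horizontal|
      return v_mag, v_dir

  def substroke_acceleration(acc_samples):
      # acc_samples: (ax, ay, az) readings at each touch point in the sub-stroke.
      return np.asarray(acc_samples, float).mean(axis=0)  # average in all three directions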

In some embodiments, it may be desirable to determine an appropriate sub-stroke time duration. On one hand, when the sub-stroke time duration is too small, the behavior information extracted from each sub-stroke of the same user may become inconsistent because, when feature values become instantaneous, they are unlikely to be consistent for the same user. On the other hand, when the sub-stroke time duration is too large, the behavior information extracted from each sub-stroke of different users may become similar because the unique dynamics of individual users may not be distinguishable. Therefore, it may be desirable to determine a suitable trade-off between consistency and distinguishability when determining an appropriate sub-stroke time duration.

In order to determine an appropriate sub-stroke time duration, a metric referred to as the “consistency factor” may be defined. Given a set of samples of the same stroke, which are segmented using time duration p as the guideline, let m be the number of sub-strokes, and let c be the number of sub-strokes that have consistent behavior for a particular feature. The consistency factor of this set of samples under time duration p may be defined as

$\frac{c}{m}.$

For simplicity, the term “combined consistency factor” may be used to refer to the consistency factor of the set of all samples of the same stroke from all users, and the term “individual consistency factor” may be used to refer to the mean consistency factor of the set of all samples of the same stroke from the same user. In various embodiments, the individual consistency factor typically increases as the sub-stroke time duration p is increased. In addition, the combined consistency factor typically decreases when p is in the range from about 30 ms to 60 ms. These observations are also true for measurements relating to velocity magnitude, velocity direction, and device acceleration. Therefore, when the sub-stroke time duration is between 30 ms and 60 ms, users may have distinguishing behaviors for the features of velocity magnitude, velocity direction, and device acceleration.

So far, it has been assumed that all sub-strokes segmented from a stroke have the same time duration. However, in reality, users have consistent and distinguishing behavior for sub-strokes of different time durations. Therefore, it may be desirable to find such sub-strokes of different time durations. The entire time duration of a stroke may be represented as a line with the initial color of white. Given a set of samples of a stroke performed by one user under b postures, the stroke may be segmented with the time duration p=60 ms and the number of minimum variance partitions k=1. For each resulting sub-stroke, the coefficient of variation of the feature values extracted from the sub-stroke may be measured. If the coefficient of variation is lower than the threshold, the sub-stroke with k minimum variance partitions may be chosen as a feature element, and the sub-stroke may be colored in the line as black. After this round of segmentation, if there are any white sub-strokes, the next round of segmentation may be performed on the entire stroke with p=55 ms and the number of minimum variance partitions k still being 1. In this round, the coefficient of variation may be measured for any sub-stroke whose color is completely white. If the coefficient of variation is lower than the threshold, the sub-stroke with k minimum variance partitions may be chosen as a feature element, and the sub-stroke may be colored in the line as black. This process may be continued by decrementing the time duration p by 5 ms in each round until there are no white regions of length larger than or equal to 30 ms left in the line, or until p is decremented to 30 ms. If p is decremented to 30 ms and there are still white regions of length larger than or equal to 30 ms, k may be increased by 1, and p may be reset to 60 ms. The process may then be repeated. The last possible round may be with k set to a value of b and p set to 30 ms. The whole process may terminate when there are no white regions of length larger than or equal to 30 ms.

Pseudocode that may be used for the extraction and selection of features is shown below.

  Input:  (1) N training samples of action with n_(t) strokes each
          (2) Number of postures b
          (3) Threshold T_(cv)
  Output: (1) An N × F array, O_(fv), containing N extracted feature vectors, each with F extracted and selected feature elements
          (2) An N × F array, O_(BId), containing the behavior ID of each value in O_(fv)
  idx ← 1; Q ← [0]_(N×4×n_(t))
  for f ∈ {stroke time, inter-stroke time, stroke disp mag, stroke disp dir} do
    for j := 1 to N do
      for i := 1 to n_(t) do
        Q[j, f, i] ← Extract feature type f from stroke i of sample j
      end
    end
  end
  for f ∈ {stroke time, inter-stroke time, stroke disp mag, stroke disp dir} do
    for i := 1 to n_(t) do
      [k′, BIds, Flag] ← ExtractBehaviors(Q[1:N, f, i], T_(cv), b)
      if Flag == true then
        O_(fv)[1:N, idx] ← Q[1:N, f, i]
        O_(BId)[1:N, idx] ← BIds
        idx ← idx + 1
      end
    end
  end
  Q ← [0]_(N×1)
  for f ∈ {velocity mag, velocity dir, device acc} do
    for i := 1 to n_(t) do
      Color the stroke white
      for k := 1 to b do
        for p := 60 ms to 30 ms step −5 ms do
          s ← getNumSubStrokes(N samples of stroke i, p)
          for q := 1 to s do
            if sub-stroke q is completely white then
              Q ← Extract feature type f from N samples of sub-stroke q
              [k′, BIds, Flag] ← ExtractBehaviors(Q, T_(cv), k)
              if Flag == true && k′ == k then
                O_(fv)[1:N, idx] ← Q
                O_(BId)[1:N, idx] ← BIds
                idx ← idx + 1
                Color sub-stroke q black
                if stroke does not have a white region larger than or equal to 30 ms then
                  return O_(fv), O_(BId)
                end
              end
            end
          end
        end
      end
    end
  end
  return O_(fv), O_(BId)

  ExtractBehaviors
  Input:  (1) R_(N×1), N values of a feature element
          (2) Threshold T_(cv)
          (3) b, maximum allowed number of minimum variance partitions
  Output: (1) k, number of minimum variance partitions made
          (2) BIds, contains behavior ID of each value in R
          (3) Flag, status of making minimum variance partitions
  for k := 1 to b do
    BIds ← Assign cluster number to each element in R using Ward's method, where 1 ≦ cluster number ≦ k
    Flag ← true
    for z := 1 to k do
      if cv of values in cluster z > T_(cv) then
        Flag ← false
        Break innermost for loop
      end
    end
    if Flag == true then
      return k, BIds, Flag
    end
  end
  return NULL, NULL, false

  getNumSubStrokes
  Input:  (1) N samples of stroke i
          (2) p, time duration for making sub-strokes
  Output: (1) number of sub-strokes
  maxSS ← max_(j)(ceil(stroke time of sample j / p))
  minSS ← min_(j)(ceil(stroke time of sample j / p))
  hist ← [0]_(1×(maxSS−minSS+1))
  for j := 1 to N do
    idx_(hist) ← ceil(stroke time of sample j / p) − minSS + 1
    hist[idx_(hist)] ← hist[idx_(hist)] + 1
  end
  return (arg max_(l) hist[l]) + minSS − 1

Once the features to be used in training the classifiers have been determined, the values of the features may be arranged to make training instances for each sample of the action. For each sample of the action, the selected stroke times (i.e., stroke times with no more than b behaviors) of the strokes in the sample may be determined first, followed by the selected inter-stroke times, the displacement magnitudes, and the displacement directions. The pressure values from all x-consistent (∀x∈[1, b]) subparts made for pressure may be determined next, followed by the velocity magnitudes and the velocity directions for their own x-consistent subparts. Note that different numbers of x-consistent subparts may be determined for the pressure, the velocity magnitude, and the velocity direction. Also note that, in all training instances, the feature at location i is extracted from the same (sub)part of all training samples of the action.

In various embodiments, the training instances may be partitioned into training groups representing different behaviors of the user. The behaviors of the user may be modeled for each training group using SVDE based classifiers. An unseen sample of the action may then be classified using the user behavior models. Specifically, a user corresponding to the unseen sample may be classified as either a legitimate user or an imposter. This entire process is discussed in more detail below.

The training instances may be partitioned into training groups such that any given feature in the training instances of a given training group has exactly one behavior. Thus, each training group may represent exactly one distinct behavior of the user when performing the action. Such training groups may allow each behavior of the user to be modeled separately.

As discussed above, agglomerative hierarchical clustering is performed for each of the features in the training instances. Therefore, the number of behaviors for each feature in the training instances is already known, as well as the behavior to which each value of a given feature belongs. Using this information, the training groups may be generated by simply grouping together the training instances in which the value of each feature represents the same behavior. The training groups for which the number of training instances is below a threshold, T_(tg), may be discarded because such training groups do not have enough information to correctly model the user behavior. In some embodiments, T_(tg) may be set to 20.
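
For illustration, the grouping may be sketched in Python as follows; representing the behavior IDs of each training instance as a tuple with one entry per feature is an assumption made for the example.

  from collections import defaultdict

  def make_training_groups(instances, behavior_ids, t_tg=20):
      # Instances whose features all belong to the same behaviors end up
      # in the same group, so each group represents one distinct behavior.
      groups = defaultdict(list)
      for inst, bids in zip(instances, behavior_ids):
          groups[tuple(bids)].append(inst)
      # Discard groups that are too small to model the behavior reliably.
      return [g for g in groups.values() if len(g) >= t_tg]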

In real world deployments, training samples are typically only available from the legitimate user. When training samples are available only from one class (i.e., the legitimate user) but test samples are available from two classes (i.e., the legitimate user and imposters), support vector distribution estimation (SVDE) may be used to model the training samples obtained from the one class. The model(s) may then be used to classify the test samples obtained from the two classes. In some embodiments, the open source implementation of SVDE may be used to model the behaviors of a user and classify unseen test samples. In addition, each training group may be processed separately when modeling the user behaviors.

The values of each feature in the training instances may be scaled such that the values are within the range [0, 1]. This may prevent features in greater numeric ranges from dominating features in smaller numeric ranges. Appropriate values for γ, a parameter for the radial basis function (RBF) kernel, and ν, a parameter for SVDE, may then be found. The appropriate values of γ and ν may be determined by performing a grid search on the ranges 2⁻¹⁷≦γ≦2⁰ and 2⁻¹⁰≦ν≦2⁰ with 10-fold cross validation on the training instances in the training group being processed.
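
A sketch of this grid search in Python is shown below. Realizing SVDE with a one-class SVM, here scikit-learn's OneClassSVM, is an assumption made for the example; the disclosure does not name a particular implementation.

  import numpy as np
  from sklearn.model_selection import KFold
  from sklearn.svm import OneClassSVM

  def grid_search_tp(X):
      # X: scaled training instances (rows) of one training group; all
      # instances come from the single class, i.e., the legitimate user.
      tp = {}
      for g_exp in range(-17, 1):        # 2^-17 <= gamma <= 2^0
          for v_exp in range(-10, 1):    # 2^-10 <= nu <= 2^0
              gamma, nu = 2.0 ** g_exp, 2.0 ** v_exp
              rates = []
              for train_idx, test_idx in KFold(n_splits=10).split(X):
                  clf = OneClassSVM(kernel='rbf', gamma=gamma, nu=nu)
                  clf.fit(X[train_idx])
                  # TP rate: fraction of held-out legitimate samples accepted.
                  rates.append(np.mean(clf.predict(X[test_idx]) == 1))
              tp[(gamma, nu)] = np.mean(rates)
      return tp  # surface over (gamma, nu) from which the TP contour is taken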

As the training instances are only from one class (i.e., the legitimate user), cross validation during the grid search only measures the true positive (TP) rate. In various embodiments, the TP rate may be different for different values of the parameters, and there may be a region on the surface resulting from the grid search where the TP rate is particularly high. Selecting parameter values with higher TP rates increases the likelihood that false positives (FP) will be obtained, while selecting parameter values with lower TP rates can become a source of nuisance due to greater rejections of the legitimate user.

Once a TP rate has been selected, the coordinates of the points on the contour of the TP rate on the surface resulting from the grid search may be obtained. From the points on this contour, z points may be randomly selected, where each of the z points provides a pair of values of γ and ν. For each of the z pairs of parameter values, an SVDE classifier may be trained using the training instances from the current training group. Therefore, for each training group, an ensemble of z parallel models may be obtained. The ensemble of z parallel models may then be used to classify any unseen test sample.

The following pseudocode may be used to train SVDE classifiers to generate a model of user behavior.

  Input:  (1) O_(ƒv), containing selected feature values for each training sample
          (2) O_(BId), containing the behavior IDs of each value in O_(ƒv)
          (3) Required true positive rate, TP
          (4) Classifiers in ensemble, z
          (5) Minimum number of samples required to make training groups, T_(tg)
  Output: (1) Set E of ensembles of classifiers
  TG ← Set of training groups made from instances in O_(ƒv) using O_(BId)
  E ← φ
  for i := 1 to |TG| do
    if |TG[i]| ≧ T_(tg) then
      Scale the values of all features into the range [0, 1]
      for γ := 2⁻¹⁷ to 2⁰ do
        for ν := 2⁻¹⁰ to 2⁰ do
          G[γ, ν] ← Calculate true positive rate using 10-fold cross validation for parameter values γ and ν
        end
      end
      Z ← z random points from contour of G with true positive rate TP
      for z′ := 1 to |Z| do
        e[z′] ← Train classifier with coordinates of Z[z′] on TG[i]
      end
      E ← E ∪ e
    end
  end
  return E

To classify an unseen test sample of the action, a test instance that has the same set of features as the set of features in each training instance may be generated. The value of each feature in this test instance may be extracted from the same (sub)part of the test sample as the (sub)part of the training sample from which the value of the corresponding feature in a training instance was extracted. To determine whether the unseen test sample is from the legitimate user or an imposter, a classification decision for the unseen test instance may be obtained from each ensemble of classifiers corresponding to each training group. If any of the ensembles declares the unseen test sample to be from the legitimate user, the user corresponding to the unseen test sample may be declared to be the legitimate user. However, if none of the ensembles declares the test sample to be from the legitimate user, the user corresponding to the unseen test sample may be declared to be an imposter.

The following pseudocode may be used to classify a user corresponding to a specific test sample as either a legitimate user or an imposter.

  Input:  (1) Test sample
          (2) E, the ensemble of classifiers
          (3) Information about which (sub)parts to extract features from and how to arrange the features
          (4) Information about scaling factor
  Output: (1) Decision D ∈ {Legitimate, Imposter}
  Extract, arrange, and scale the features of the test sample using the information about (sub)parts, arrangement, and scaling from training
  D ← Imposter
  for ∀e ∈ E do
    D ← Evaluate test instance with ensemble e
    if D == Legitimate then
      Break for loop
    end
  end
  return D

In various embodiments, if the user corresponding to the unseen test sample is declared to be the legitimate user, the user may be allowed to access the touch screen device on which the action was performed. For example, the action performed by the user may satisfy the lock function on the touch screen device, and, thus, the touch screen device may be unlocked. However, if the user corresponding to the unseen test sample is declared to be an imposter, the user may not be allowed to access the touch screen device on which the action was performed. For example, the action performed by the user may not satisfy the lock function on the touch screen device, and, thus, the touch screen device may not be unlocked.

FIG. 6 is a process flow diagram of a method 600 for behavior based authentication for touch screen devices. The method 600 may be implemented within any suitable type of touch screen device, such as a mobile phone, tablet computer, laptop computer, or the like. Moreover, in some embodiments, the method 600 may be implemented within the computing environment 100 described with respect to FIG. 1.

According to embodiments described herein, the method 600 is used to authenticate the user of the touch screen device based on the user's behavior of performing a particular action. The particular action may include the input of the user's personal signature or the input of one or more gestures on the touch screen of the device. The particular action may be performed on the touch screen of the device via the user's finger(s), a touch pen, or any other suitable type of touch input device.

The method 600 begins at block 602, at which training samples corresponding to a first action performed on the touch screen of the touch screen device are acquired. The first action includes an input of a signature or a gesture by a legitimate user. If the first action includes the input of a gesture, the first action may be performed using one or more of the user's fingers. However, if the first action includes the input of a signature, the first action may be performed using one or more of the user's fingers, a touch pen, or any other suitable type of touch input device.

At block 604, a user behavior model is generated based on the training samples. Specifically, features corresponding to the first action may be extracted from the training samples, and a portion of the features that have consistent values for all of the training samples may be selected. Behaviors corresponding to the portion of the features may be extracted from the training samples, and the training samples may be partitioned into training groups based on the behaviors corresponding to the portion of the features. Each training group may correspond to one of the behaviors. A user behavior model may then be generated for each training group. In various embodiments, generating the user behavior model for each training group includes training a support vector distribution estimation (SVDE) based classifier for each training group.

At block 606, a test sample corresponding to a second action performed on the touch screen is acquired. The second action includes an input of the signature or the gesture by a user. When the test sample is acquired, the identity of the user who performed the second action is unknown.

At block 608, the test sample is classified based on the user behavior model. Classifying the test sample includes determining whether the user is the legitimate user or an imposter. In various embodiments, classifying the test sample includes extracting the portion of the features that have consistent values for all of the training samples from the test sample, extracting test behaviors corresponding to the portion of the features from the test sample, and comparing the test behaviors extracted from the test sample to the behaviors corresponding to the training groups based on the user behavior models.

In some embodiments, if it is determined that the user is the legitimate user, the user may be allowed to access the touch screen device. However, if it is determined that the user is an imposter (i.e., anyone other than the legitimate user), the user may be denied access to the touch screen device.

The process flow diagram of FIG. 6 is not intended to indicate that the blocks of the method 600 are to be executed in any particular order, or that all of the blocks are to be included in every case. Further, any number of additional blocks not shown in FIG. 6 may be included within the method 600, depending on the details of the specific implementation. For example, in some embodiments, the method 600 is executed for each of a number of actions performed on the touch screen, wherein each action includes an input of a specified gesture. Further, in some embodiments, the specified gestures are ranked based on the accuracy of the legitimate user in inputting the training samples for the corresponding actions, and a test sample corresponding to each action is acquired and classified in a descending order based on the ranking of the specified gestures. The user may then be determined to be the legitimate user if a majority of the classifications for the test samples corresponding to the actions determine that the user is the legitimate user.

The behavior based authentication procedure described herein may be used for a variety of applications. For example, financial institutions may use the behavior based authentication procedure to help eliminate credit card fraud. Banks may request credit card holders to authenticate themselves by providing signatures on touch screen devices instead of simply signing a receipt whenever they make a purchase over a certain limit. Many shopping stores already have touch screen devices for users to provide their signatures after using their credit cards. Currently, however, the users are not authenticated using those signatures. Instead, the signatures are simply stored in a database. Therefore, according to the behavior based authentication procedure described herein, the touch screen devices that are already in use at shopping stores may be used to provide actual authentication for credit card users.

Furthermore, financial institutions may use the behavior based authentication procedure described herein to help eliminate ATM fraud. To illegally draw money from an ATM, an attacker may install a passive card reading device on a public ATM. The passive card reading device may be used to read the information contained on the magnetic stripe of a debit card. In addition, a spy camera may be used to capture a video of the card holder entering his PIN code. The attacker may then create a fake debit card using the obtained information and withdraw money from the account using the fake debit card. Therefore, since ATMs typically include touch screens, the behavior based authentication procedure described herein may be used to help eliminate such fraudulent transactions by authenticating debit card users based on user behavior, rather than authenticating debit card users based only on the input of a PIN code.

Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

1. (canceled)
 2. A method for behavior based authentication for touch screen devices, comprising: acquiring a plurality of training samples corresponding to a first action and a second action performed on a touch screen of a touch screen device by a legitimate user, wherein a multi-finger gesture comprises the first action and the second action; generating a user behavior model based on the plurality of training samples, what features of the training samples by multiple users, and how features of the training samples by distinct users, wherein the what features comprise a displacement magnitude, and wherein the how features comprise the displacement magnitude; acquiring a test sample corresponding to the first action performed on the touch screen, by a user; acquiring a test sample corresponding to the second action performed on the touch screen, by the user; and classifying the test sample based on the user behavior model, wherein classifying the test sample comprises determining whether the user is the legitimate user or an imposter, including by automatically adjusting a time resolution for each of a plurality of subparts of an input of the first action and the second action until and in order to obtain consistent feature values for the subparts for different locations of the first action and the second action.
 3. The method of claim 2, wherein generating the user behavior model comprises: extracting features corresponding to the first action from the training samples; selecting a portion of the features that have consistent values for all of the training samples; extracting behaviors corresponding to the portion of the features from the training samples; and partitioning the training samples into a plurality of training groups based on the behaviors corresponding to the portion of the features, wherein each of the training groups corresponds to one of the behaviors.
 4. The method of claim 3, wherein the user behavior model is generated for each of the training groups by training a support vector distribution estimation (SVDE) based classifier for each of the training groups.
 5. The method of claim 3, wherein classifying the test sample comprises: extracting the portion of the features that have consistent values for the training samples from the test sample; extracting a plurality of test behaviors corresponding to the portion of the features from the test sample; and comparing the test behaviors extracted from the test sample to the behaviors corresponding to the training groups based on the user behavior models.
 6. The method of claim 2, wherein the first action and the second action correspond to user authentication for the touch screen device, and wherein the method comprises: allowing the user to access the touch screen device if the user is the legitimate user; and denying the user access to the touch screen device if the user is the imposter.
 7. The method of claim 2, wherein the first action and the second action correspond to user authentication for a credit card or a debit card.
 8. The method of claim 2, comprising executing the method for each of a plurality of actions performed on the touch screen, wherein each of the actions comprises an input of a specified gesture.
 9. The method of claim 8, comprising ranking the specified gestures corresponding to the plurality of actions based on an accuracy of the legitimate user in inputting a plurality of training samples for the actions, wherein acquiring and classifying the test sample is based on the ranked specified gestures.
 10. The method of claim 9, comprising determining that the user is the legitimate user based on a majority of classifications for the test samples.
 11. The method of claim 2, wherein the first action comprises an input of a specified gesture by one or more fingers of the legitimate user, and wherein the second action comprises an input of the specified gesture by one or more fingers of the user.
 12. A touch screen device, comprising: a touch screen; a processor that is adapted to execute stored instructions; and a system memory, wherein the system memory comprises code configured to: acquire a plurality of training samples corresponding to a first action and a second action performed on a touch screen of a touch screen device by a legitimate user, wherein a multi-finger gesture comprises the first action and the second action; generate a user behavior model based on the training samples, what features of the training samples by multiple users, and how features of the training samples by distinct users, wherein the what features comprise a displacement magnitude, and wherein the how features comprise the displacement magnitude; acquire a test sample corresponding to the first action performed on the touch screen, by a user; acquire a test sample corresponding to the second action performed on the touch screen, by the user; and classify the test sample based on the user behavior model, wherein classifying the test sample comprises determining whether the user is the legitimate user or an imposter, including by automatically adjusting a time resolution for each of a plurality of subparts of an input of the first action and the second action until and in order to obtain consistent feature values for the subparts for different locations of the first action and the second action.
 13. The touch screen device of claim 12, wherein the system memory comprises code configured to: extract features corresponding to the first action from the training samples; select a portion of the features that have consistent values for the training samples; extract behaviors corresponding to the portion of the features from the training samples; and partition the training samples into a plurality of training groups based on the behaviors corresponding to the portion of the features, wherein each of the training groups corresponds to one of the behaviors.
 14. The touch screen device of claim 13, wherein the user behavior model is generated for each of the training groups by training a support vector distribution estimation (SVDE) based classifier for each of the training groups.
 15. The touch screen device of claim 13, wherein the system memory comprises code configured to: extract the portion of the features that have consistent values for all of the training samples from the test sample; and extract test behaviors corresponding to the portion of the features from the test sample, wherein the test sample is classified by comparing the test behaviors extracted from the test sample to the behaviors corresponding to the training groups based on the user behavior models.
 16. The touch screen device of claim 12, wherein the first action and the second action correspond to user authentication for the touch screen device, and wherein the system memory comprises code configured to: allow the user to access the touch screen device if the user is the legitimate user; and deny the user access to the touch screen device if the user is the imposter.
 17. The touch screen device of claim 12, wherein the first action comprises an input of a specified gesture by one or more fingers of the legitimate user, and wherein the second action comprises an input of the specified gesture by one or more fingers of the user.
 18. The touch screen device of claim 12, wherein the first action comprises an input of a signature by the legitimate user via a touch input device, and wherein the second action comprises an input of the signature by the user via the touch input device.
 19. One or more computer-readable storage media for storing computer-readable instructions, the computer-readable instructions providing for behavior based authentication of a touch screen device when executed by one or more processing devices, the computer-readable instructions comprising code configured to: acquire a plurality of training samples corresponding to a first action and a second action performed on a touch screen of a touch screen device by a legitimate user, wherein a multi-finger gesture comprises the first action and the second action; generate a user behavior model based on the training samples, what features of the training samples by multiple users, and how features of the training samples by distinct users, wherein the what features comprise a displacement magnitude, and wherein the how features comprise the displacement magnitude; acquire a test sample corresponding to the first action performed on the touch screen, by a user; acquire a test sample corresponding to the second action performed on the touch screen, by the user; and classify the test sample based on the user behavior model, wherein classifying the test sample comprises determining whether the user is the legitimate user or an imposter, including by automatically adjusting a time resolution for each of a plurality of subparts of an input of the first action and the second action until and in order to obtain consistent feature values for the subparts for different locations of the first action and the second action.
 20. The one or more computer-readable storage media of claim 19, wherein classifying the test sample comprises determining whether a same user performed both the first action and the second action, and wherein the computer-readable instructions comprise code configured to: unlock the touch screen device if the same user performed both the first action and the second action; and do not unlock the touch screen device if the same user did not perform both the first action and the second action.
 21. The one or more computer-readable storage media of claim 19, wherein the first action may be divided into subparts at a plurality of time resolutions.